feat!(stackable-certs): Support adding SAN entries

[sbernauer]

Description

As #1044 didn't move along, splitting the relevant change out to unblock CRD versioning.

Definition of Done Checklist

• Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
• Please make sure all these things are done and tick the boxes

Author

• Changes are OpenShift compatible
• CRD changes approved
• CRD documentation for all fields, following the style guide.
• Integration tests passed (for non trivial changes)
• Changes need to be "offline" compatible

Reviewer

• Code contains useful comments
• Code contains useful logging statements
• (Integration-)Test cases added
• Documentation added or updated. Follows the style guide.
• Changelog updated
• Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

• Feature Tracker has been updated
• Proper release label has been added

[NickLarsenNZ]

Just some changes to the changelog, and the rest (I think) are only suggestions.

[NickLarsenNZ]

I find these a little bit of a handful and would tend to prefer this:

Suggested change

	Ok(GeneralName::DnsName(Ia5String::new(dns_name).context(
	ParseSubjectAlternativeDnsNameSnafu {
	subject_alternative_dns_name: dns_name.to_string(),
	},
	)?))
	let ia5_dns_name = Ia5String::new(dns_name).context(
	ParseSubjectAlternativeDnsNameSnafu {
	subject_alternative_dns_name: dns_name.to_string(),
	},
	)?;
	Ok(GeneralName::DnsName(ia5_dns_name))

You're welcome to ignore this suggestion

[NickLarsenNZ]

Even better if we had a TryFrom impl, we could then do:

        let sans = subject_alterative_dns_names
            .into_iter()
            .map(GeneralName::try_from)
            .collect::<Result<Vec<_>, Error>>()?;

[NickLarsenNZ]

I disagree that it is needed.

It is only needed when you want to use the certificate with multiple names (in addition to the commonName). So while it is common, it isn't correct to say that it is needed due to modern validation impls.

Unless I've been hiding under a rock and you have seen problems validating on commonName alone?

Suggested change

	this is needed for basically all modern TLS certificate validations when used with HTTPS.
	this is often needed.

or

Suggested change

	this is needed for basically all modern TLS certificate validations when used with HTTPS.
	this is needed when the HTTPS server is accessible on multiple DNS names and/or IPs.

[NickLarsenNZ]

Suggested change

	- BREAKING: The constant `DEFAULT_CA_VALIDITY_SECONDS` has been renamed to `DEFAULT_CA_VALIDITY` and now is of type `stackable_operator::time::Duration`.
	Also, the constant `ROOT_CA_SUBJECT` has been renamed to `SDP_ROOT_CA_SUBJECT` ([#1057]).
	- BREAKING: Constants have been renamed/retyped ([#1057]):
	- `DEFAULT_CA_VALIDITY_SECONDS` has been renamed to `DEFAULT_CA_VALIDITY` and now is of type `stackable_operator::time::Duration`.
	- `ROOT_CA_SUBJECT` has been renamed to `SDP_ROOT_CA_SUBJECT`.

[NickLarsenNZ]

I know it was existing behaviour, so no change required now, but I don't think we should make any certificate usable as a Client Cert. It should be intentional.

[NickLarsenNZ]

Just checking what happens if there are no sans (note to self, see if tests show it).

Nice, there is a test for the empty sans.